Interesting People mailing list archives
Social Security numbers and passwords
From: Willis H. Ware <willis () jake rand org>
Date: Fri, 02 Jul 93 14:54:07 PDT
Ohringer () DOCKMASTER NCSC MIL asks about the use of some or all of one's SSN as part of a scheme to assign computer passwords. The scheme is not described in enough detail to really answer his questions, but some comments are possible. It might be an innocuous or a dumb idea depending upon details of the usage.

1. First, if the last 4 digits are supposed to uniquely point to a password, it follows that at most 10,000 employees can be handled. Worse, though, there is a reasonable probability that there will be duplication among the 4-digit tails of some random collection of employees. Unless the 4 digits were combined with something else, the mapping into passwords might not be unique. If duplication must be avoided, then the company must be prepared to assign alternate numbers, so why not base the scheme entirely on a company's own employee-number scheme?

2. Why use the SSN? Probable answer: the company already has SSNs in the personnel-records database. It is too lazy or indifferent or foolish to make up some unique anonymous numbering system for itself.

3. .. Is this an acceptable use of (part of) social security numbers?
Depends upon personal opinion only. I think it unwise, if not dumb, especially for what would appear to be a very minor advantage that could be gained. There is no law that says you cannot do this unless your state happens to have one. Even then the law will almost certainly refer to "the SSN" and not concern itself with usage of a part of the number.
.................. What precedents exist for allowing or prohibiting such use? What precedent is set by this proposed use?
There are no legal prohibitions against use of the SSN within the private sector for record-keeping purposes. We all know that in spades. There are a few legal requirements which mandate the use of SSN; e.g., financial transactions which involve tax consequences. If the company that is considering this is a Fortune 500 and if the scheme became public knowledge, there might be a small temptation for others to follow. If the company in question is a small family business in rural Maryland, there is probably no precedent of importance. I point out that if the actual 4 digits of the SSN were traceable through or derivable from the password and if the password becomes compromised [i.e., known to a 3rd party], then 4/9 of the SSN is revealed. It might not be too difficult to construct the rest of the 9 digits. The format of the SSN is known, the significance of the various digits combinations is well known, and employment or family history might be enough to deduce the others. But then some people don't consider an SSN to be a sensitive data element; a lot of others do however.
I look forward to reading how readers would react if they faced such a proposal.
Lauren would properly decline to print my explicit views of a management that is seemingly so careless, so casual, so indifferent, so unwise, so foolish, so unbelievably ill informed and so unimaginative as to propose the use of the SSN for a trivial purpose with seemingly so little payoff, or for that matter to propose its use for any purpose other than for which it is legally required. For a good history and review of the SSN usage, see the report of the Privacy Protection Study Commission, chapter on SSN.

Willis H. Ware
Santa Monica, CA